Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Darkweb Data Breaches

Cyble Vision Alerts Darkweb Data Breaches

Back
Id588a2ee5-978a-43f7-9c10-6d76d82026ef
RulenameCyble Vision Alerts Darkweb Data Breaches
DescriptionDetects darkweb credential leakage and data breach records from CybleVision. Extracts leaked username, email, password hashes, registration dates, and metadata using the Alerts_DarkwebDataBreaches parser. Incidents grouped per service.
SeverityLow
TacticsReconnaissance
InitialAccess
Exfiltration
Collection
TechniquesT1589
T1078
T1048
T1530
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Darkweb_Data_Breaches.yaml
Version1.0.0
Arm template588a2ee5-978a-43f7-9c10-6d76d82026ef.json
Deploy To Azure
Alerts_darkweb_data_breaches 
| where Service == "darkweb_data_breaches" 
| extend  MappedSeverity = Severity

alertDetailsOverride:
  alertDynamicProperties: []
  alertDescriptionFormat: |
        Username {{DB_Username}} Registration date {{DB_RegistrationDate}} Breach source {{Breach_Source}}
  alertDisplayNameFormat: CybleVision Darkweb Breach for {{DB_Email}}
kind: Scheduled
severity: Low
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 588a2ee5-978a-43f7-9c10-6d76d82026ef
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
status: Available
triggerThreshold: 0
queryPeriod: 30m
entityMappings:
- fieldMappings:
  - columnName: DB_Username
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: Domain
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: IP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: DB_Email
    identifier: MailboxPrimaryAddress
  entityType: Mailbox
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Darkweb_Data_Breaches.yaml
enabled: true
triggerOperator: GreaterThan
suppressionDuration: PT5H
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
subTechniques: []
relevantTechniques:
- T1589
- T1078
- T1048
- T1530
name: Cyble Vision Alerts Darkweb Data Breaches
queryFrequency: 30m
version: 1.0.0
query: |
  Alerts_darkweb_data_breaches 
  | where Service == "darkweb_data_breaches" 
  | extend  MappedSeverity = Severity  
customDetails:
  UserName: DB_Username
  PasswordHash: DB_PasswordHash
  Status: Status
  DisplayName: DB_DisplayName
  BreachDate: DB_Date
  Tags: DB_Tags
  AlertID: AlertID
  BreachSource: Breach_Source
  S3Key: DB_S3Key
  Structured: DB_Structured
  MappedSeverity: Severity
  RegistrationDate: DB_RegistrationDate
  LeakedEmail: DB_Email
  Service: Service
description: |
    'Detects darkweb credential leakage and data breach records from CybleVision. Extracts leaked username, email, password hashes, registration dates, and metadata using the Alerts_DarkwebDataBreaches parser. Incidents grouped per service.'
tactics:
- Reconnaissance
- InitialAccess
- Exfiltration
- Collection